Google was caught bypassing privacy settings in Safari last week, and now …

Google was caught last week bypassing default privacy settings in the Safari browser in order to serve up tracking cookies. The company claimed the situation was an accident and limited only to the Safari Web browser, but today Microsoft claimed Google is doing much the same thing with Internet Explorer.

In a blog post titled "Google bypassing user privacy settings" Microsoft's IE Corporate Vice President Dean Hachamovitch states that "When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies."

Hachamovitch explains that IE's default configuration blocks third-party cookies unless presented with a "P3P (Platform for Privacy Preferences Project) Compact Policy Statement" indicating that the site will not use the cookie to track the user. Microsoft accuses Google of sending a string of text that tricks the browser into thinking the cookie won't be used for tracking. "By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked," Microsoft said.

The text allegedly sent by Google actually reads "This is not a P3P policy" and includes a link to a Google page which says cookies used to secure and authenticate Google users are needed to store user preferences, and that the P3P protocol "was not designed with situations like these in mind."
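The mechanism in the two paragraphs above turns on how a browser parses the P3P compact policy it receives in a third-party response. The following is an added example, not code from the article, from Microsoft or from Google: it models a strict parser, which rejects a CP string containing tokens outside the P3P 1.0 vocabulary, beside a lenient one that ignores unknown tokens and only checks for "unsatisfactory" declarations. The lenient model and the `is_unsatisfactory` rule are simplified assumptions for illustration, not Internet Explorer's actual logic; the sample headers and the URL in them are constructed placeholders.

```python
"""Audit P3P compact-policy (CP) headers on third-party responses.

Added example, not from the article. It contrasts a strict parser (rejects
any CP string with tokens outside the P3P 1.0 vocabulary) with a lenient one
(an assumption about a permissive browser: unknown tokens are ignored and
only "unsatisfactory" declarations block the cookie).
"""
import re

# P3P 1.0 compact-policy vocabulary.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES_REMEDIES = {"DSP", "COR", "MON", "LAW"}
NON_IDENTIFIABLE = {"NID"}
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
              "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
TEST = {"TST"}
FIXED = ACCESS | DISPUTES_REMEDIES | NON_IDENTIFIABLE | RETENTION | CATEGORIES | TEST
SUFFIXED = PURPOSES | RECIPIENTS  # may carry a/i/o: always, opt-in, opt-out

# Assumption for the simplified "unsatisfactory" rule below (not IE's exact rule).
IDENTIFIABLE = {"PHY", "ONL", "GOV", "FIN"}
SERVICE_ONLY_PURPOSES = {"CUR", "ADM", "DEV"}

CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)


def extract_cp(p3p_header):
    """Return the CP string from a P3P header value, or None when absent."""
    if p3p_header is None:
        return None
    m = CP_RE.search(p3p_header)
    return m.group(1) if m else None


def split_tokens(cp):
    """Split a CP string into tokens the vocabulary defines and tokens it does not."""
    known, unknown = [], []
    for tok in cp.split():
        base, suffix = tok[:3], tok[3:]
        if tok in FIXED or (base in SUFFIXED and suffix in ("", "a", "i", "o")):
            known.append(tok)
        else:
            unknown.append(tok)
    return known, unknown


def is_unsatisfactory(known):
    """Simplified stand-in: identifiable data declared, and used or shared beyond
    the basic service with no opt-in/opt-out suffix on the purpose or recipient."""
    bases = {t[:3] for t in known}
    if "NID" in bases or not (bases & IDENTIFIABLE):
        return False
    for tok in known:
        base, suffix = tok[:3], tok[3:]
        if suffix in ("i", "o"):
            continue  # the user is offered a choice
        if base in PURPOSES and base not in SERVICE_ONLY_PURPOSES:
            return True
        if base in RECIPIENTS and base != "OUR":
            return True
    return False


def evaluate(p3p_header, strict=True):
    """Decide whether a third-party cookie is allowed under the given parser model."""
    cp = extract_cp(p3p_header)
    if cp is None:
        return {"decision": "block", "reason": "no compact policy", "unknown": []}
    known, unknown = split_tokens(cp)
    if strict and unknown:
        return {"decision": "block", "reason": "invalid compact policy", "unknown": unknown}
    if is_unsatisfactory(known):
        return {"decision": "block", "reason": "unsatisfactory policy", "unknown": unknown}
    return {"decision": "allow", "reason": "policy accepted", "unknown": unknown}


# Constructed sample header values (not real captures; the URL is a placeholder).
SAMPLES = {
    "not-a-policy": 'CP="This is not a P3P policy! See https://example.invalid/cookie-faq for more info."',
    "non-identifiable": 'CP="NOI DSP COR NID CUR ADMa DEVa OUR NOR STA"',
    "profiling": 'CP="ALL DSP COR IVAa PSDa OUR UNRa IND PHY ONL FIN NAV STA"',
    "missing": None,
}


def audit(samples=SAMPLES):
    """Names whose cookies a strict parser blocks but the lenient model lets through."""
    return sorted(name for name, header in samples.items()
                  if evaluate(header, strict=True)["decision"] == "block"
                  and evaluate(header, strict=False)["decision"] == "allow")


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, evaluate(header, strict=True), evaluate(header, strict=False))
    print("lenient-only allows:", audit())
```

Running the audit over the constructed samples flags only the `not-a-policy` header: the strict parser rejects it as invalid, while the lenient model finds no unsatisfactory tokens in prose and admits the cookie, which is the gap the article describes. A missing header is blocked under both models, so the difference lies entirely in how unrecognized text is treated.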

Microsoft said it has contacted Google to ask the company to "commit to honoring P3P privacy settings for users of all browsers." Microsoft also updated the Tracking Protection Lists in IE9 to prevent the tracking described by Hachamovitch in the blog post. Ars has contacted Google to see if the company has any response to the Microsoft allegations, and we'll update this post if we hear back.

UPDATE: It turns out Facebook and many other sites are using an almost identical scheme to override Internet Explorer's privacy setting, according to privacy researcher Lorrie Faith Cranor at Carnegie Mellon University. "Companies have discovered that they can lie in their [P3P policies] and nobody bothers to do anything about it," Cranor wrote in a recent blog post.

UPDATE 2: Google has gotten back to us with a lengthy reply, arguing that Microsoft's reliance on P3P forces outdated practices onto modern websites, and pointing to a study conducted in 2010 (the Carnegie Mellon research from Cranor and her colleagues) that examined 33,000 sites and found about a third of them were circumventing P3P in Internet Explorer.

"Microsoft uses a 'self-declaration' protocol (known as 'P3P') dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form," Google Senior VP of Communications and Policy Rachel Whetstone says in a statement e-mailed to Ars. "It is well known—including by Microsoft—that it is impractical to comply with Microsoft’s request while providing modern web functionality."

Facebook's "Like" button, the ability to sign into websites using your Google account "and hundreds more modern Web services" would be broken by Microsoft's P3P policy, Google says. "It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality," Whetstone said. "Today the Microsoft policy is widely non-operational."

That 2010 research even calls out Microsoft's own msn.com and live.com for providing invalid P3P policy statements. The research paper further states that "Microsoft's support website recommends the use of invalid CPs as a work-around for a problem in IE."

Just to be fair with Google...why not have a separate article highlighting the feedback received from Google and other pointers from Lorrie instead of doing an Update 1 and Update 2 Edits on the same article ?

There are already 100+ comments here spewing venom on Google's evil policies...let the readers decide and express their opinions once they get to hear Google's take on the controversy.. and hence I recommend you do a follow-up article separately.

We are working on a separate story, but it won't be a simple "Google responds" one.

Along these lines, what's with the parade of 'privacy advocates' who will whine up wazoo about Facebook or Google's privacy policies and cookies, but can't be bothered to clear their cookies or, heaven forbid, use an anonymous VPN or TOR?

Because I shouldn't have to? Why would I want to deal with a VPN or a slow TOR connection for everyday browsing just to keep someone like Google from stepping outside their bounds?

So basically we should all stick our heads in the sand because you're lazy and want to pretend like the entire Internet is your friendly Uncle Ted?

I'm kind of reminded of the sort of people who believe Uncle Ted instead when their child comes and says "he's been touching me."

Forget about Google... there's probably some hick at the ISP laughing at you guys every time you visit the homepage for your Furry Convention.

I'm also reminded of the kind of people who think 'Private Browsing' on a shared computer is actually private... FYI there's probably some bored guy somewhere watching the requests upstream.

I'm really starting to think using the Internet should require a license...

Hwuh? I use ie7, what's wrong with that? Hwuh? I visit pronz at library... what's wrong with that? Hwuh? Limewire is bad? But it works for me... Hwuh! Google is tracking me with a cookie? OMG It's the end of the world!! Google is so evilz!! Save me congress, from teh Google!!

Seriously guys....

These home analogies are a wet dream from someone who lives a delusion of comfort and convenience entirely outside of reality. Would you let the whole world into your living room? Could they even fit? So silly.

This whole "Gotcha" thing on Google with over sensationalized headlines is getting out of control.

Let's be honest as well. Microsoft is not an unbiased party. They are going to spin anything they can to portray Google as being run by a Satanic cult bent on collecting everybody's information just so Brin and company can read it all in front of the fireplace while smoking a cigar, drinking and chuckling.

From Google's response it seems like the +1 functionality would break were they to send valid P3P headers. Is this the case with Facebook "Like" as well? Is this why facebook does the same thing?

If they are only using it so that the +1 or "like" functionality works I don't have a problem with it. If they are using it as a tracking cookie for advertising purposes that sucks. Anyone care to share their opinion on it?

If they are only using it so that the +1 or "like" functionality works I don't have a problem with it.

I have a problem with anyone who doesn't respect my privacy wishes, whether the feature is innocuous or not; the moment a party like Google decides to interpret those wishes, they invariably end up diminishing my choice. Now I know Safari defaults to "no 3rd party cookies" and it is an all or nothing proposal, no whitelist. But I actually know that is the setting and I expect Apple to enforce that setting without fail, no accommodations to the big boys like Facebook and for what is to me their silly user features. I said this before, the onus is on Google and Facebook and others to find a way to make cross domain exchanges something a user can transparently agree to. Until then they can ask users to demote their privacy setting so they can +1 and like to their heart's content. Why is no one thinking that is an available choice?

Having turned off all 3rd party cookies in chrome I can confirm that I am not getting any 3rd party cookies on sites, and everything seems to be working fine... The problem is with Safari this is the default option, but it is not 100% correct as it allows certain 3rd party cookies anyway, and IE relies on a system that is just broken... What is Chrome doing differently as far as handling 3rd party cookies?

I agree as the first line of defense, but it takes two to Tango. Google and Facebook should not be bypassing the stated intent of browser features, and whatever work they do with browser makers to accommodate their features should be transparent to us. The way they went about getting their way should not be celebrated, even if MS was pig-headed about P3P and had an inherently poor implementation, and even if Apple was lax with the cookie implementation and defaults to a privacy setting that is too restrictive.

The whole situation is patently absurd - in essence, we have one vendor crying "but our browser would be secure, if only you'd stop exploiting it!" to another.

I mean, stop for a moment and think about it: the vendor that is willing to honor your stated preference for privacy isn't the vendor that anyone with any sense is really worried about exposing private data to in the first place.

Yes like I said, plenty of people know how to work around that, unfortunately we expect a company that repeatedly claims to be not "evil" to have a slightly higher standard of ethics than warez and porn sites.

The problem is, Google has never in their history claimed to "not be evil". That's just a belief of the ignorant.

The whole situation is patently absurd - in essence, we have one vendor crying "but our browser would be secure, if only you'd stop exploiting it!" to another.

I mean, stop for a moment and think about it: the vendor that is willing to honor your stated preference for privacy isn't the vendor that anyone with any sense is really worried about exposing private data to in the first place.

Don't get me wrong, Apple and MS need to fix their browsers. But I don't buy the "because there is no harm in it we don't need to abide by another vendor's privacy rules" (whether bugs or wink wink we won't stop you hole). No one is blameless in this, and yes there are a whole lot more unscrupulous people out there that would exploit any weakness in privacy models. And I'm well aware cookies aren't the only way to track; I'm sure with always-on routers many IP addresses remain essentially static.

But I'll say this, Google and Facebook are bypassing the browser's stated intent because they are too lazy to form their own standard that can reasonably accommodate modest cross domain features without making privacy models meaningless. Yup tall order, not sure you can do it without popups asking for very specific permissions and do so in a way that doesn't make a browser's privacy model even more exploitable by more unscrupulous kind.

I guess for some knowing that privacy policies are essentially a joke these days feel like it might as well stay a joke.

I think the only thing that can fix this now is having site owners have prominent links that explain their privacy situation, including any external pieces on their sites - so sites that have +1, likes, tweets, any social media should have this included in their privacy statement with links to those other providers (google, facebook, twitter) privacy statements. Site owners are just as bad as the browsers - by placing all this crap on their pages without really caring that they could be giving away their most important asset...

Browsers: a) should block ALL 3rd party cookies if that option is selected - this is not hard to do because the browser KNOWS what site you are on, and any cookie from anything else would be 3rd party. b) Need to work together to come up with a way to handle user privacy that is obvious to the end user - heck, you say cookies to an end user and most will ask for milk... There needs to be plain English when it comes to this: "DO YOU WANT 3RD PARTIES TO BE ABLE TO TRACK YOU", not "3rd party cookies disabled (kinda)"

Websites: Need to be truthful about all the privacy and content sharing that goes on...

The only ones not to blame here are the users - they have done nothing wrong.

The tricky thing is that the common user doesn't truly understand the technology. They just want the cool stuff to work. You tell the user "allowing third-party cookies means you are sharing your information with just about anyone" and they will err on the side of caution and just block all third-party cookies. The moment they see that people can click the Facebook "like" button on other sites, they get excited about this cool feature, but they think their browser is broken because it's not showing up for them... or they think the website is broken... or they think Facebook is broken. It takes tons of explaining to point out to them that these features require third-party cookies to function, but they've already been sold the idea that third-party cookies are nothing but evil. So then, they beg for features like a universal "like" button, but want to have it without the "evil". It just doesn't make sense from a technical standpoint.

This same thing happened with cookies altogether in the early days. Some browsers would, by DEFAULT, block cookies and prompt users each time. They'd click to block the cookies, but complain when the website didn't recognize them anymore. Or, they'd complain that they had to keep accepting cookies over and over. Eventually, in the war between convenience and privacy, convenience won out and people were happier with a web browser that was less naggy and a World Wide Web that was more functional and cohesive.

P3P attempted to fix this problem by providing granularity, but the result is... people can't be bothered to think about settings. They will, more often than not, just accept the default settings. When those default settings break popular functionality on the web, people complain about their browsers, or they complain about the websites, etc... They never recognize the real problem is their own ignorance of these issues and the settings they should be familiar with.

At the end of the day, though, the common user is what the web ultimately adapts to. Since the common users just accepted the default P3P settings of IE, but the common user wanted things like "Like" buttons to "just work", Microsoft's own recommendation on their support sites was basically to tell web developers how to circumvent this situation. Over time, this became the common practice among web developers to get around IE's broken implementation. Sure, for some people, their tweaking of the P3P policy settings was intentional and they will be upset to find out it's mostly being ignored. For the majority of users (the common users), they just want these cool features to work and they don't want to have to customize their browser to get these features to work. When things don't "just work", something is broken and someone has to pay.

That answers your question. I wonder what trap you thought you were laying for melgross over this, rather than coming out and making the point you clearly wanted to make.

No it doesn't. Spend 2 minutes coming up with how a computer listening to open wifi traffic is able to pick up someone's password, then you'll just realize the absurdity of the claim of stealing them.

Ah, I suspected you were going to take that path but hoped I was wrong.

You're right - a lot of data is sent over WiFi and it's easy to sniff out some passwords.

So why did Google store the details? What's the justification for keeping the data? And why did Google read anything more than simply the network details to help identify location? What possible justification did they have for reading traffic?

Even Google admitted it was wrong. You should probably follow their lead on this.

They repurposed an open source tool to capture WiFi info. Was there any suggestion by any of the government investigations that the captured packets were used for anything nefarious, or that they'd even be useful for anything by Google, beyond identifying open WiFi connections in an area? I haven't seen what was captured, but it sounded like they only caught snippets as the street view vehicles travelled around. The likely usefulness of any packets was low. Google's carelessness was high, but any real damage would be from someone else deliberately doing the same thing, not Google storing a minute or two of your packets.

What's getting missed is that this is informal. It started with the utterance of a single Google employee in a particular meeting, and the quote was something more like "...because that would be evil." as an explanation why something shouldn't be done.

It later morphed into "You can be successful without doing evil", but that's not the same as not BEING evil.

Later, when the China situation arose, there was a "scale" pertaining to evil.

The problem is, nobody has defined "evil". Some people, in fact, think the very act of advertising itself IS evil. After all, it makes "people the product", that group proclaims.

Others say that trying to make money is evil. Putting investors above consumers is evil to the consumers. Putting consumers above investors is evil to the investors. Making a decision that a bunch of people don't like is evil. Doing something one person dislikes is evil (to that person).

Ultimately, if "evil" is left to the eye of the beholder, no person, corporation, animal, or other entity will ever be capable of escaping the label of "evil."

Also, DOING evil and BEING evil can be seen as different things to different people. Some might even suggest that by providing money TO a corporation that, in turn, is doing things you perceive as being "evil" that you, yourself, are also evil. It could also be extended to say that even though you might not provide direct money to the corporation, if you view a page which has an advertisement on it which, in turn, generates money for a corporation that you are supporting evil which, in turn, means you are either evil, or doing evil.

This word "evil" keeps getting thrown around like it's in fashion, along with "fail" and "epic" and "mealtime".

Perhaps it will be important for anyone who uses the word "evil" to first define their particular use of the word and how they see it clearly being defined in the context they are using it.

You must either not be a programmer, or you're a holier-than-thou one. It's a pretty simple cause of "leaving the defaults on." These are hacked together street view cars that they were sending out for two purposes. One, to take pictures for street view. There were other companies doing this, but they charged a bunch for the photos and Google felt they could do it themselves for cheaper. Two, to map out WiFi data to have a fall-back option for poor GPS situations. Again, there were other companies doing this, but they charged a bunch for the photos and Google felt they could do it themselves for cheaper.

So, you're a programmer. You're told these cars will drive around capturing this data and they're not exactly sure what kind of useful things can be done with this data, but the first step is to collect it, the next will be to analyze it and use it. So, instead of writing 100% of the code yourself, you find an open source solution. You plug it into your own code, and you leave its defaults on. It captures a bunch of data for a while and then someone looks at the data and says, "Eek, there's some bad stuff in here." The first realization is, "oops, we shouldn't be collecting that! let's delete it!". The next realization is, "if we delete it, won't it just look like we're trying to cover something up?" So, instead, you let the world know you did it, you apologize for making the mistake, and you ask the world how you should dispose of the data properly.

You make it sound as though they, instead, said "We knew we were collecting this sensitive data from day one, we hoped to get away with it, we were caught... so now we're sorry, and we won't do it again." This was not the case at all, and if you had read the report by the independent third party who investigated this, you'd know this. I suspect, instead, you just skimmed some headlines and felt educated.

Given the reality of the situation, it truly is a case of an unintentional act. Did the programmer intentionally put the code into his program? Sure, but all signs point to the fact that he/she didn't put in the thought to determine whether the default options needed to be tweaked.

Given your reasoning, you could blame the programmer(s) of the open source software for clearly and intentionally writing the software to capture stuff. So, was the mistake made out of a poor decision? Sure. Did they apologize for the poor decision? Sure. Was there malice and intent? No.

By the way, the reason that an invalid policy is meant to be treated as an empty policy by the spec is probably this:

"If no policy reference file is available for a given site, user agents MUST assume (an empty) policy reference file exists at the well-known location with a 24 hour expiry, and therefore if the user returns to the site after 24 hours, the user agent MUST attempt to fetch a policy reference file from the well-known location again. User agents MAY check the well-known location more frequently, or upon a certain event such as the user clicking a browser refresh button. Sites MAY place a policy reference file at the well-known location that indicates that no policy is available, but set the expiry such that user agents know they need not check every 24 hours."

Yes, it doesn't sound so hyperbolic or that big of a deal when no sensitive information could have been stolen.

So, you're a programmer. You're told these cars will drive around capturing this data and they're not exactly sure what kind of useful things can be done with this data, but the first step is to collect it, the next will be to analyze it and use it.

I'm frankly shocked by this post. Maybe it's because in my country, doing that directly contravenes privacy laws and corporations can land themselves in severe hot water for doing exactly this, leading to penalties for both the corporation and (personally) the directors. The company I work for was recently audited on exactly this (no problems, we only collect the right data for the right reasons) and we're audited every year to ensure we keep within the bounds of law.

I don't think it was malicious, and have never inferred that. It was just that particular type of stupidity exhibited by people who are very smart in one field but completely unaware of the realities in other fields.

You've invented some 'holier than thou' position that you believe I occupy, but it's just that I've been involved in development, corporate life and large scale private data sets for a few decades now and see this as a big deal. You don't screw around with other people's data unless you've got a really good reason and have their permission. I don't see that as controversial, or even debatable.

Maybe it's a US thing - the attitude there to private data seems to be all over the place, from permissions to storage. That's tripped up Apple recently (stupidly allowing the address book to be read by apps without explicit user permission, the location tracking thing), Google in the past (collecting WiFi data) and now (stepping around browser controls), and I'm pretty sure we could find something about Microsoft if we looked for it.

Not sure what the big deal is ... you can get anything from anywhere at any time. People who think their browsers are secure are delusional. If you really want to go that extra mile, set up a proxy server, among many other things you could do to keep yourself anonymous and keep your online dealings private.

Not sure what the big deal is ... you can get anything from anywhere at any time. People who think their browsers are secure are delusional. If you really want to go that extra mile, set up a proxy server, among many other things you could do to keep yourself anonymous and keep your online dealings private.

Or better yet, unplug yourself from the internet.

So your argument is "the internet is already imperfect, so we should let companies use exploits to track us?"

hmmm

"You already live in a bad neighborhood, so you shouldn't complain when you get shot, it's your own fault for living there. Maybe rather than calling the police, and having them stop the perpetrator, you should just pack your stuff and leave."

I am in the process of building a new system (Linux) to be used with VMs. I need VMs for a different reason, but I'm thinking I no longer trust google's binaries on my system.

I need Google Earth for my work and I need chrome to test with. I think though it is time for those binaries to live in a VM where they can't touch my real data.

Midori is a really good browser on sites where the html isn't total shit, and Opera does as good a job as chrome on sites where the html is total shit, so I think I'll use Midori as my primary browser.

I used to really like google products, but lately time and time and time again, they've really started to annoy me. When they launched google+ I tried it and was not impressed, never went back, but they added stuff to their search page that I guess was supposed to notify me of updates in google+ but completely broke my ability to search. They broke their search engine page, their flagship product, to give me a bleeping notification of an update in the social network? What kind of crap is that? They fixed it in a few hours, but why the hell give me updates to the social network when I'm not using it?

Adsense - for over a decade we've been asking for a fix to adsense so it doesn't use document.write() but they refuse to do it. Google is a multi-billion dollar company yet they can't hire someone to fix their adsense code to modern standards? What the hell is up with that?

Android emulator - it's great that they offer it for Linux but not the Market App. Oh no, have to be a cell phone vendor to get that, so when testing a web application on different browsers in different versions of android, it's a PITA to install the different browsers, has to be done manually. Why? What harm would it possibly do to include the market app in the emulator?

I'm just really tired of google. They aren't the company they were back when I first started using them. They still have some nice attributes, I love their webmaster tools and image search and summer of code but I really am starting to get fed up with the darker side of google.